Security: ZelAnton/processkit-py

SECURITY.md

Security Policy

Supported versions

Security fixes are applied to the latest released version of processkit. Older versions are not maintained — upgrade to the latest release to receive fixes.

Reporting a vulnerability

Do not open a public issue for security vulnerabilities.

Report privately through GitHub's private vulnerability reporting (repository Security → Advisories → Report a vulnerability). If that is unavailable, contact the maintainer listed on the ZelAnton profile.

Please include:

  • a description of the vulnerability and its impact;
  • steps to reproduce (a minimal proof of concept is ideal);
  • affected version(s).

You can expect an initial acknowledgement within a few days. Once a fix is ready, a patched release is published to PyPI and the advisory is disclosed.

Automated scanning

  • CodeQL runs GitHub's static analysis (security-and-quality queries) on every push and pull request to main, and on a weekly schedule. Two parallel jobs cover Python (interpreted, no build step) and Rust (compiled via cargo build --features extension-module).
  • pip-audit runs in CI on every pull request and every push to main (the pip-audit job in .github/workflows/ci.yml). It scans the resolved Python dependency tree against the PyPI Advisory Database and fails the build on a known vulnerability.
  • Dependabot opens weekly pull requests to keep GitHub Actions, Python packages (uv ecosystem), and Rust crates (cargo ecosystem) current, so advisory fixes land promptly.

There aren't any published security advisories